Worm
worm.win32.autorun.vku
Capture date
2011-04-14
Threat level
Medium
Virus symptoms
This sample is a worm written in VC and captured automatically by Micropoint Active Defense. It is packed with UPX in an attempt to evade signature scanning; the packed file is 83,210 bytes long, it carries an icon (the image is not reproduced here) and uses the exe extension. It spreads through file bundling, drive-by download pages (网页挂马) and downloaders. The virus's main purpose is to steal user information and to create rogue advertising icons that bring in web traffic when clicked.
Affected systems
windows 2000 / windows xp / windows 2003 / windows vista / windows 7
Propagation
File bundling, drive-by download pages, downloader download
Countermeasures
Users who have Micropoint Active Defense installed need no further configuration: Micropoint Active Defense automatically protects the system from infection and damage by this virus. Whether or not you have upgraded to the latest version, Micropoint Active Defense can remove this virus effectively. If you have not upgraded Micropoint Active Defense to the latest version, it will raise an alert reporting an "unknown spyware" when it detects this virus; choose Delete directly (see Figure 1).
Figure 1: Micropoint Active Defense automatically captures the unknown virus (not upgraded)
If you have upgraded Micropoint Active Defense to the latest version, Micropoint will raise an alert reporting the trojan "worm.win32.autorun.vku"; choose Delete directly (see Figure 2).
Figure 2: Micropoint Active Defense intercepts the known virus after upgrading
Manual removal for users without Micropoint Active Defense installed:
1. Manually delete files
Delete %systemroot%\system32\jnirelupeq\explorer.exe
Delete %systemroot%\system32\xecpibaiia\smss.exe
Delete %systemdriver%\gwyivodjab.txt (random name)
Delete %systemdriver%\hccguiacas.jpg (random name)
Delete %systemdriver%\tvaaixmniw.gif (random name)
Delete %systemdriver%\fyisyelrhy.doc (random name)
Delete %systemdriver%\qrkgwteuwg.bmp (random name)
Delete %systemdriver%\program files\common files\bosc.dll
Delete %systemdriver%\q9q.dll
Delete %systemroot%\system32\drivers\kpscc.sys
Delete x:\my documamts.exe (root of each drive)
2. Manually delete registry entries
Delete hkey_local_machine\system\currentcontrolset\services\dmusic
Name: imagepath
Data: \??\c:\windows\system32\drivers\kpscc.sys
Delete hkey_local_machine\software\thunder network\thunderoem\thunder_backwnd
Name: path
Data: c:\q9q.dll
Delete hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run
Name: xecpibaiia
Data: c:\windows\system32\xecpibaiia\smss.exe
Delete hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run
Name: jnirelupeq
Data: c:\windows\system32\jnirelupeq\explorer.exe
Delete the large number of hijacked entries under hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\
Delete hkey_classes_root\exefile
Name: nevershowext
Data: 1
Delete hkey_current_user\software\microsoft\windows\currentversion\policies\associations
Name: modriskfiletypes
Data: .exe
Find and delete the entries associated with clsid {f986cc17-37c0-4585-b7d9-15f2161f0584}.
3. Manually re-import the correct registry keys:
hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
hkey_local_machine\system\currentcontrolset\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
hkey_local_machine\system\controlset001\control\safeboot\minimal\{4d36e969-e325-11ce-bfc1-08002be10318}
hkey_local_machine\system\controlset001\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
hkey_classes_root\*\shellex\contextmenuhandlers\sd360
hkey_classes_root\directory\shellex\contextmenuhandlers\sd360
hkey_classes_root\folder\shellex\contextmenuhandlers\sd360
hkey_classes_root\*\shellex\contextmenuhandlers\risingravext
hkey_classes_root\directory\shellex\contextmenuhandlers\risingravext
hkey_classes_root\folder\shellex\contextmenuhandlers\risingravext
4. Download the Micropoint rogue-desktop cleanup tool and the Micropoint folder-virus cleanup tool and scan with them.
Variable definitions:
%systemdriver%  the partition the system is installed on, usually “c:\”
%systemroot%  the Windows directory, usually “c:\windows”
%documents and settings%  the user profile directory, usually “c:\documents and settings”
%temp%  the temporary folder, usually “c:\documents and settings\当前用户名称\local settings\temp”
%programfiles%  the default program installation directory, usually “c:\programfiles”
Paths in this advisory keep the folder names of a Chinese Windows installation: 桌面 is Desktop, 「开始」菜单\程序\启动 is Start Menu\Programs\Startup, and 当前用户 (or 当前用户名称) stands for the current user's profile folder.
Virus analysis:
1. Take a process snapshot and search for security-software processes such as avp.exe. If one is found, first check whether the folders "c:\recycler", "c:\recovery" and "c:\system volume information" carry the system and read-only attributes; if they do, continue with the rest of the program.
2. If none is found, enumerate the root directories of the user's drives. Then create a thread whose purpose is to terminate the processes "cmd.exe", "netsh.exe", "conime.exe", "regedit.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe", "wmiprvse.exe" and "ipconfig.exe".
3. If the named mutex objects "ca6f06b7575bf3a0b24462db96e36efe1" and "ca6f06b7575bf3a0b24462db96e36efe2" already exist, it creates a new handle to them; this is mainly used to prevent the program from running more than once. If the named mutex does not exist, execution continues.
4. Create the directories “c:\windows\system32\xecpibaiia” and “c:\windows\system32\jnirelupeq”, sleep 1 s, then search for the file "c:\windows\system32\jnirelupeq\explorer.exe". If it is found, convert its file time to local time and DOS date and time, set "c:\windows\system32\jnirelupeq\explorer.exe" to normal attributes, and then delete it. If it is not found, search for "c:\windows\system32\xecpibaiia\smss.exe"; if that is found, convert its file time to local and DOS time, set "c:\windows\system32\xecpibaiia\smss.exe" to normal attributes, and delete it.
5. Sleep for a period, then copy itself, overwriting any existing file, as “c:\windows\system32\xecpibaiia\smss.exe” and “c:\windows\system32\jnirelupeq\explorer.exe”, and immediately start both of these processes.
6. Create the mutex “ca6f06b7575bf3a0b24462db96e36efe1” to prevent the program from running more than once. Then raise the current process's privilege to "sedebugprivilege" and create a thread that sleeps 3 s and searches for "c:\program files\internet explorer\iexplore.exe"; when found, it converts that file's time to local time and DOS date and time and creates the files “c:\gwyivodjab.txt”, “c:\hccguiacas.jpg”, “c:\tvaaixmniw.gif”, “c:\fyisyelrhy.doc” and “c:\qrkgwteuwg.bmp” with normal attributes (all five names are random). If iexplore.exe is not found, the five random-named files are created on another drive letter such as d:. It creates the folder “c:\vsps”, copies itself into it, overwriting any existing file, as “c:\vsps\vsps.exe”, and sets the file and folder to system and hidden. It then takes a process snapshot looking for "rstray.exe" and "360tray.exe"; if either is found, the main program exits. If not, it first deletes "c:\program files\common files\bosc.dll", then recreates "c:\program files\common files\bosc.dll" in the same directory and loads it. With the parameter "installhook" it installs global keyboard and mouse hooks; with the parameter "hideprocess" it hides the corresponding processes. The dll file is set to system and hidden.
7. Create the mutex “ca6f06b7575bf3a0b24462db96e36efe2” to prevent the program from running more than once. Then raise the current process's privilege to "sedebugprivilege" and create a thread that terminates the processes "cmd.exe", "netsh.exe", "conime.exe", "regedit.exe", "wscript.exe", "regsvr32.exe", "rundll32.exe", "wmiprvse.exe" and "ipconfig.exe". Then set the virus's own file to system and hidden, sleep 3 s, and search for "c:\windows\system32\reg.exe", "c:\windows\system32\wscript.exe" and "c:\windows\regedit.exe". If found, convert their file times to local time and DOS date and time, then open and read these three files without releasing the handles, so that the user cannot use them. If they are not found, exit. Set the registry key hkey_local_machine\software\tencent\qq2009, value: install. Search for "c:\program files\tencent\qq\bin\shareds.dll"; if found, convert its file time to local time and DOS date and time. If not found: set "c:\q9q.dll" to system and hidden and delete it, sleep 300 ms, create "c:\q9q.dll", sleep 300 ms, and search for "c:\q9q.dll"; if found, convert its file time to local time and DOS date and time, then move "c:\program files\tencent\qq\bin\tasktray.dll" to "c:\program files\tencent\qq\bin\shareds.dll", sleep 300 ms, move the newly created "c:\q9q.dll" to "c:\program files\tencent\qq\bin\tasktray.dll", sleep 2 s, and search for "c:\q9q.dll" again; if found, convert its file time to local time and DOS date and time. If it is not found, set the registry key hkey_local_machine\software\tencent\qq, value: install, and hkey_local_machine\software\thunder network\thunderoem\thunder_backwnd, name: path, data: "c:\q9q.dll", and set the "c:\program files\" folder to system and hidden. It also sets “c:\documents and settings\all users\「开始」菜单\程序\启动\xinabini.exe” and “c:\documents and settings\当前用户\「开始」菜单\程序\启动\pbkxjkmeqm.exe” to system and hidden.
8. Get the directory listing of “c:\windows\system32\drivers”. Search for "c:\windows\system32\drivers\kpscc.sys"; if it is absent, create the driver file and the corresponding service registry entry:
hkey_local_machine\system\currentcontrolset\services\dmusic
Name: imagepath
Data: \??\c:\windows\system32\drivers\kpscc.sys
9. It then creates the pipe "\\.\myfl" to communicate with the driver and terminates the relevant security-software processes. Under the registry key hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options it creates a large number of new entries that hijack many security products so that they cannot run. It then launches the "c:\windows\system32\xecpibaiia\smss.exe" and “c:\windows\system32\jnirelupeq\explorer.exe” processes again as external commands.
10. The virus moves the files "c:\windows\system32\drivers\etc\hosts", "c:\recycler\winlogon.exe", "c:\windows\system32\ravext.dll" and "c:\windows\system32\bsmain.exe" with a move operation that deletes them at the next reboot.
It deletes the registry entries for the 360 and Rising antivirus right-click context-menu items:
hkey_classes_root\*\shellex\contextmenuhandlers\sd360
hkey_classes_root\directory\shellex\contextmenuhandlers\sd360
hkey_classes_root\folder\shellex\contextmenuhandlers\sd360
hkey_classes_root\*\shellex\contextmenuhandlers\risingravext
hkey_classes_root\directory\shellex\contextmenuhandlers\risingravext
hkey_classes_root\folder\shellex\contextmenuhandlers\risingravext
11. Modify a registry value so that hidden files and folders are not shown:
hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced
Name: showsuperhidden
Data: 0
Modify a registry value so that the desktop IE icon is unusable:
hkey_current_user\software\microsoft\windows\currentversion\explorer\hidedesktopicons\newstartpanel
Name: {871c5380-42a0-1069-a2ea-08002b30309d}
Data: 1
Create a registry entry so that the user cannot use the Windows classic desktop theme:
hkey_current_user\software\microsoft\windows\currentversion\explorer\hidedesktopicons\classicstartmenu
Name: {871c5380-42a0-1069-a2ea-08002b30309d}
Data: 1
12. Delete the following shortcuts:
c:\documents and settings\当前用户\桌面\360杀毒.lnk
c:\documents and settings\当前用户\桌面\360保险箱.lnk
c:\documents and settings\当前用户\桌面\360安全卫士.lnk
c:\documents and settings\当前用户\桌面\360软件管家.lnk
c:\documents and settings\当前用户\桌面\qq浏览器 5.lnk
c:\documents and settings\all users\「开始」菜单\qq浏览器5.lnk
c:\documents and settings\all users\「开始」菜单\360安全浏览器 3.lnk
c:\documents and settings\当前用户\桌面\修复360安全卫士.url
c:\documents and settings\all users\桌面\修复瑞星软件.lnk
c:\documents and settings\all users\桌面\瑞星杀毒软件.lnk
c:\documents and settings\all users\桌面\瑞星个人防火墙.lnk
c:\documents and settings\all users\桌面\360安全浏览器 3.lnk
13. Set the system and hidden attributes on the following files and shortcuts:
c:\documents and settings\all users\「开始」菜单\程序\360杀毒
c:\documents and settings\当前用户\「开始」菜单\程序\360保险箱
c:\documents and settings\当前用户\「开始」菜单\程序\360安全卫士
c:\program files\kaspersky lab
c:\documents and settings\all users\「开始」菜单\程序\瑞星个人防火墙
c:\documents and settings\all users\「开始」菜单\程序\瑞星杀毒软件
c:\documents and settings\当前用户\「开始」菜单\程序\腾讯软件\qq浏览器 5
c:\documents and settings\all users\「开始」菜单\程序\360安全浏览器 3
c:\documents and settings\当前用户\「开始」菜单\程序\卡巴斯基反病毒软件 7.0
c:\documents and settings\当前用户\「开始」菜单\程序\卡巴斯基反病毒软件 2010
c:\documents and settings\当前用户\「开始」菜单\程序\卡巴斯基反病毒软件 2009
c:\documents and settings\all users\「开始」菜单\程序\卡巴斯基反病毒软件 2010
c:\documents and settings\all users\「开始」菜单\程序\卡巴斯基反病毒软件 7.0
c:\documents and settings\all users\「开始」菜单\程序\卡巴斯基反病毒软件 2009
c:\documents and settings\当前用户\桌面\卡巴斯基反病毒软件 2009.lnk
c:\documents and settings\当前用户\桌面\卡巴斯基反病毒软件 2010.lnk
c:\documents and settings\all users\桌面\卡巴斯基反病毒软件 2009.lnk
c:\documents and settings\all users\桌面\卡巴斯基反病毒软件 2010.lnk
14. Create registry entries:
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}
Name: infotip  Data: @shdoclc.dll,-881
Name: localizedstring  Data: @shdoclc.dll,-880
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\shell\openhomepage\command
Name: (Default)
Data: iexplore.exe http://www.sfc006.com/?activex
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\shell\属性(&r)\command
Name: (Default)
Data: rundll32.exe shell32.dll,control_rundll inetcpl.cpl,,0
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\shell\openhomepage
Name: (Default)  Data: 打开ag旗舰厅首页主页 (Chinese: "Open the AG flagship store home page")
Name: muiverb  Data: @shdoclc.dll,-10241
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\shellex\contextmenuhandlers\ieframe
Name: (Default)
Data: {871c5380-42a0-1069-a2ea-08002b30309d}
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\shellfolder
Name: attributes
Data: 0
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\shell
Name: openhomepage
Data: (Default)
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\inprocserver32
Name: (Default)  Data: %systemroot%\system32\shdocvw.dll
Name: threadingmodel  Data: apartment
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\defaulticon
Name: (Default)
Data: shdoclc.dll,-190
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\infotip
Name: (Default)
Data: @shdoclc.dll,-881
hkey_local_machine\software\classes\clsid\{f986cc17-37c0-4585-b7d9-15f2161f0584}\localizedstring
Name: (Default)
Data: @shdoclc.dll,-880
hkey_local_machine\software\microsoft\windows\currentversion\explorer\desktop\namespace\{f986cc17-37c0-4585-b7d9-15f2161f0584}\inprocserver32
hkey_local_machine\software\microsoft\windows\currentversion\explorer\hidedesktopicons\newstartpanel
Name: {871c5380-42a0-1069-a2ea-08002b30309d}
Data: 1
hkey_local_machine\software\microsoft\windows\currentversion\explorer\hidedesktopicons\classicstartmenu
Name: {871c5380-42a0-1069-a2ea-08002b30309d}.default
Data: 0
15. Enumerate files looking for shortcuts such as "c:\documents and settings\当前用户\桌面\internet explorer.lnk", "c:\documents and settings\当前用户\桌面\改变你的一生.url", "c:\documents and settings\当前用户\桌面\淘宝购物a.url" and "c:\documents and settings\all users\桌面\免费电影c.url", change their creation time, and set them to system and hidden.
16. Enumerate the root directory of every drive and copy itself into each as “my documamts.exe”, disguised as a folder to lure the user into clicking the virus file.
17. Delete the following registry keys so that the user cannot boot into safe mode:
hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
hkey_local_machine\system\currentcontrolset\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
hkey_local_machine\system\controlset001\control\safeboot\minimal\{4d36e969-e325-11ce-bfc1-08002be10318}
hkey_local_machine\system\controlset001\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
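As an added example (not part of this advisory and not Micropoint's code), the Python script below parses a Windows .reg export and flags the registry footprint described in steps 8, 9, 11 and 17 above and in the manual-removal section: the dmusic service pointing at kpscc.sys, the Policies\Explorer\Run autostarts, NeverShowExt on exefile, ShowSuperHidden=0, Image File Execution Options hijacks and missing SafeBoot keys. The sample export is constructed, and the IFEO check assumes the hijack uses the standard "Debugger" value, which the advisory does not name.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .reg export (not a real capture) mimicking the keys this
# advisory lists.  Both SafeBoot\Network keys are deliberately absent so the
# safe-mode check has something to report.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmusic]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\kpscc.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"xecpibaiia"="C:\\WINDOWS\\system32\\xecpibaiia\\smss.exe"
"jnirelupeq"="C:\\WINDOWS\\system32\\jnirelupeq\\explorer.exe"

[HKEY_CLASSES_ROOT\exefile]
"NeverShowExt"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe]
"Debugger"="C:\\WINDOWS\\system32\\jnirelupeq\\explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<at>@))=(?P<data>.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map lower-cased key path -> {lower-cased value name: raw data literal}.

    Handles the subset of .reg syntax needed here: [key] headers and one-line
    "name"=... or @=... values (the default value is stored under "@").
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("at") else m.group("name").lower()
            keys[current][name] = m.group("data")
    return keys


def reg_string(data: str) -> str:
    """Decode a quoted REG_SZ literal from a .reg file; other types pass through."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return data


IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt"
               r"\currentversion\image file execution options" + "\\")
# The four SafeBoot keys the advisory says the worm deletes (GUIDs as listed there).
SAFEBOOT_KEYS = (
    r"hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}",
    r"hkey_local_machine\system\currentcontrolset\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}",
    r"hkey_local_machine\system\controlset001\control\safeboot\minimal\{4d36e969-e325-11ce-bfc1-08002be10318}",
    r"hkey_local_machine\system\controlset001\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}",
)


def triage(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (kind, detail) pairs for the indicators the advisory describes."""
    findings: List[Tuple[str, str]] = []
    # Step 8: service "dmusic" whose ImagePath is the worm's driver kpscc.sys.
    svc = keys.get(r"hkey_local_machine\system\currentcontrolset\services\dmusic", {})
    image = reg_string(svc.get("imagepath", "")).lower()
    if image.endswith("kpscc.sys"):
        findings.append(("driver-service", image))
    # Policies\Explorer\Run autostarts (an easily overlooked run location).
    run = keys.get(r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run", {})
    for name, data in sorted(run.items()):
        findings.append(("policies-run", f"{name}={reg_string(data)}"))
    # NeverShowExt on exefile hides ".exe": it is what lets "my documamts.exe"
    # (step 16) pass for a folder.
    if "nevershowext" in keys.get(r"hkey_classes_root\exefile", {}):
        findings.append(("exe-ext-hidden", "nevershowext set on exefile"))
    # Step 11: ShowSuperHidden=0 keeps the system+hidden payload out of Explorer.
    adv = keys.get(r"hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced", {})
    if adv.get("showsuperhidden", "").lower() == "dword:00000000":
        findings.append(("superhidden-off", "showsuperhidden=0"))
    # Step 9: IFEO hijacks.  Assumption: the standard "Debugger" value is used;
    # the advisory only says "a large number of new entries".
    for key, values in keys.items():
        if key.startswith(IFEO_PREFIX) and "debugger" in values:
            findings.append(("ifeo-hijack", key[len(IFEO_PREFIX):] + " -> " + reg_string(values["debugger"])))
    # Step 17: SafeBoot class keys deleted so safe mode cannot start.  Only
    # meaningful when the export covers the whole HKLM\SYSTEM hive.
    findings += [("safeboot-missing", k) for k in SAFEBOOT_KEYS if k not in keys]
    return findings
```

On a suspect machine, concatenate `reg export` dumps of HKLM, HKCU and HKCR and pass the text to `triage(parse_reg(text))`; each finding names the indicator kind and the offending value or missing key.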
Files created by the virus:
%systemroot%\system32\jnirelupeq\explorer.exe
%systemroot%\system32\xecpibaiia\smss.exe
%systemdriver%\gwyivodjab.txt (random name)
%systemdriver%\hccguiacas.jpg (random name)
%systemdriver%\tvaaixmniw.gif (random name)
%systemdriver%\fyisyelrhy.doc (random name)
%systemdriver%\qrkgwteuwg.bmp (random name)
%systemdriver%\program files\common files\bosc.dll
%systemdriver%\q9q.dll
%systemroot%\system32\drivers\kpscc.sys
x:\my documamts.exe (root of each drive)
%programfiles%\tencent\qq\bin\shareds.dll
%programfiles%\tencent\qq\bin\tasktray.dll
%systemroot%\system32\drivers\etc\hosts
%systemdriver%\recycler\winlogon.exe
%systemroot%\system32\ravext.dll
%systemroot%\system32\bsmain.exe
Registry entries created by the virus:
hkey_local_machine\software\thunder network\thunderoem\thunder_backwnd
Name: path
Data: c:\q9q.dll
hkey_local_machine\system\currentcontrolset\services\dmusic
Name: imagepath
Data: \??\c:\windows\system32\drivers\kpscc.sys
hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run
Name: xecpibaiia
Data: c:\windows\system32\xecpibaiia\smss.exe
hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run
Name: jnirelupeq
Data: c:\windows\system32\jnirelupeq\explorer.exe
hkey_classes_root\exefile
Name: nevershowext
Data: 1
hkey_current_user\software\microsoft\windows\currentversion\policies\associations
Name: modriskfiletypes
Data: .exe
hkey_local_machine\system\controlset001\control\storagedevicepolicies
Name: writeprotect
Data: 0
hkey_current_user\software\microsoft\windows\currentversion\explorer\hidedesktopicons\classicstartmenu
Name: {871c5380-42a0-1069-a2ea-08002b30309d}
Data: 1
Registry keys deleted by the virus:
hkey_local_machine\system\currentcontrolset\control\safeboot\minimal\{4d36e967-e325-11ce-bfc1-08002be10318}
hkey_local_machine\system\currentcontrolset\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
hkey_local_machine\system\controlset001\control\safeboot\minimal\{4d36e969-e325-11ce-bfc1-08002be10318}
hkey_local_machine\system\controlset001\control\safeboot\network\{4d36e967-e325-11ce-bfc1-08002be10318}
hkey_classes_root\*\shellex\contextmenuhandlers\sd360
hkey_classes_root\directory\shellex\contextmenuhandlers\sd360
hkey_classes_root\folder\shellex\contextmenuhandlers\sd360
hkey_classes_root\*\shellex\contextmenuhandlers\risingravext
hkey_classes_root\directory\shellex\contextmenuhandlers\risingravext
hkey_classes_root\folder\shellex\contextmenuhandlers\risingravext
Registry values modified by the virus:
hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced
Name: showsuperhidden
Data: 0
hkey_current_user\software\microsoft\windows\currentversion\explorer\hidedesktopicons\newstartpanel
Name: {871c5380-42a0-1069-a2ea-08002b30309d}
Data: 0
Network access by the virus:
url=http://www.vo***77.com